The present invention relates to a system for sharing conditional access data, such as control words, between different conditional access systems. The CA data is used to encrypt access-controlled data that is subsequently decrypted and stored by an authorized terminal. In one embodiment, the invention is used to provide CA data at a cable television headend in different formats to authorize corresponding groups of terminals to access encrypted programming services.
The following acronyms and terms are used:
ATM—Asynchronous Transfer Mode
CA—Conditional Access
CAP—Conditional Access Provider
CPU—Central Processing Unit
CRC—Cyclic Redundancy Check
CW—Control Word
DES—Data Encryption Standard
DS—Data Stream
ECM—Entitlement Control Message
EMM—Entitlement Management Message
IP—Internet Protocol
LAN—Local Area Network
MMDS—Multichannel Multipoint Distribution System
MPEG—Moving Picture Experts Group
OOB—Out-of-band
P—program/content identifier or descriptor
PAT—Program Association Table
PC—Personal Computer
PID—Packet Identifier
PMT—Program Map Table
QAM—Quadrature Amplitude Modulation
SAT—Satellite
SONET—Synchronous Optical NETwork
STA—Subscriber Terminal Authorization
T—Time
TCP—Transmission Control Protocol
UDP—User Datagram Protocol
VOD—Video On Demand
Access to data that is provided to subscriber terminals must be strictly controlled to maintain the economic viability of subscriber networks, such as cable television networks. Accordingly, various schemes have been developed to encrypt the delivered data, e.g., using encryption schemes such as DES, and to provide associated CA data only to specific authorized terminals. Typically, the data is encrypted according to one or more cryptographic keys, and the CA data allows the authorized terminals to recover the key(s) to decrypt the data. Moreover, the encryption keys may change often, such as every second or faster.
To promote competition among suppliers, network operators and others often use terminals from different sources. The different sources (or even different models from the same source) typically require the CA data to be in a specified format due to their use of proprietary access control schemes. However, interoperability among the different terminals must also be assured. Moreover, the provisioning of CA data in the different formats must be carefully synchronized, and must account for factors such as cryptographic processing time, frequency of key changes (e.g., length of crypto-periods), initialization considerations, and so forth.
Accordingly, it would be desirable to provide a system for delivering CA data in compatible formats for different types of terminals in a network that addresses the above and other concerns. The system should allow equipment from two or more CA providers to communicate with one another, e.g., at a common headend, to synchronize the delivery of the corresponding CA data.
The system should be useful in any network that carries CA data, including a television network (including satellite, cable, fiber, hybrid fiber-coax, MMDS or other terrestrial broadcast networks), and computer networks, including multicast-IP and ATM networks.
The system should deliver CA data, such as control words used for encryption, from a primary (master) CAP, which controls encryption, to one or more secondary CAPs. The CA data should be delivered to the secondary CAPs either in-band with the access-controlled programming services, or out-of-band, e.g., via a separate network, such as one using the Ethernet standard.
The CA data should be delivered to the secondary CAPs with a sufficient lead time that is based, e.g., on a processing time requirement of the secondary CAPs.
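The synchronization requirement above (lead time derived from each secondary CAP's processing time, short crypto-periods, push rather than request) can be made concrete with a small scheduler. The following is an added example, not code from the patent or from any CA vendor; it assumes a model the text does not spell out: one fresh control word per fixed-length crypto-period, each secondary CAP declaring a processing-time requirement in seconds, and a configurable safety margin for transport delay on the out-of-band link. The names `SecondaryCAP`, `Delivery`, `plan_deliveries`, `required_lookahead_periods` and `simulate_misses` are the example's own.

```python
"""Added example (not from the patent text): push-model control-word scheduling
from a primary CAP to secondary CAPs with per-CAP lead time.

Assumed model (not stated in the source):
  * the primary CAP generates one fresh CW per crypto-period of fixed length;
  * each secondary CAP declares how long it needs to build its own ECMs;
  * the primary pushes each CW so it arrives processing_time plus a safety
    margin before the crypto-period begins, so secondaries never have to ask.
"""
import math
import os
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class SecondaryCAP:
    name: str
    processing_time: float  # seconds needed to turn a CW into its own ECM format


@dataclass(frozen=True)
class Delivery:
    cap: str
    period: int
    period_start: float
    send_by: float  # latest time the primary may push the CW for this period
    cw: bytes


def random_control_word(period: int) -> bytes:
    """Fresh 8-byte CW per crypto-period (DES key size, as in the text)."""
    return os.urandom(8)  # OS CSPRNG; a real CAS uses its own key generator


def required_lookahead_periods(cap: SecondaryCAP, crypto_period: float) -> int:
    """How many crypto-periods ahead the primary must have a CW ready for this
    CAP. A CAP slower than one crypto-period forces the primary to pipeline
    keys, which is also the initialization case: the first CWs must be pushed
    before the service starts."""
    return math.ceil(cap.processing_time / crypto_period)


def plan_deliveries(t0: float, crypto_period: float, num_periods: int,
                    secondaries: List[SecondaryCAP],
                    cw_source: Callable[[int], bytes] = random_control_word,
                    margin: float = 0.0) -> List[Delivery]:
    """Push schedule: one Delivery per (CAP, period), ordered by send deadline.
    send_by = period_start - processing_time - margin; the margin absorbs
    transport delay and jitter on the out-of-band link."""
    plan = []
    for n in range(num_periods):
        start = t0 + n * crypto_period
        cw = cw_source(n)  # the same CW goes to every CAP; only the ECM format differs
        for cap in secondaries:
            plan.append(Delivery(cap.name, n, start,
                                 start - cap.processing_time - margin, cw))
    plan.sort(key=lambda d: (d.send_by, d.cap))
    return plan


def simulate_misses(plan: List[Delivery], secondaries: List[SecondaryCAP],
                    transport_delay: float) -> List[Delivery]:
    """Deliveries whose ECM would not be ready when the crypto-period starts,
    assuming each push leaves exactly at send_by and takes transport_delay
    to arrive. A non-empty result means the chosen margin is too small."""
    proc = {c.name: c.processing_time for c in secondaries}
    misses = []
    for d in plan:
        ready_at = d.send_by + transport_delay + proc[d.cap]
        if ready_at > d.period_start:
            misses.append(d)
    return misses


if __name__ == "__main__":
    # Constructed sample: two secondary CAPs, 1-second crypto-periods.
    caps = [SecondaryCAP("cap-A", 0.25), SecondaryCAP("cap-B", 1.5)]
    plan = plan_deliveries(100.0, 1.0, 3, caps, margin=0.125)
    for d in plan:
        print(f"{d.send_by:8.3f}  push CW#{d.period} to {d.cap} "
              f"(period starts {d.period_start:.1f})")
    for c in caps:
        print(c.name, "needs lookahead of", required_lookahead_periods(c, 1.0), "period(s)")
    print("misses at 0.0625 s delay:", len(simulate_misses(plan, caps, 0.0625)))
    print("misses at 0.25 s delay:", len(simulate_misses(plan, caps, 0.25)))
```

The two checks are the ones a headend integrator wants before going live: `required_lookahead_periods` shows that a secondary CAP whose processing time exceeds the crypto-period forces the primary to generate and push keys more than one period ahead, and `simulate_misses` shows that the margin, not just the processing time, decides whether ECMs are ready at the period boundary once real link delay is present.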
The system should avoid the need for the secondary CAPs to request the CA data from the primary CAP.
The system should enable essentially real-time “on the fly” encryption of data, such as video, audio, computer games and the like.
Optionally, the system should allow delivery of the CA data to the secondary CAPs well ahead of time for later use, e.g., when the content is pre-encrypted and stored, then subsequently provided to a user terminal, such as in a video on demand service.
The system should be compatible with either a centralized or a distributed CA network.
The system should be usable in any packet-based information delivery system that requires shared CA data, including, e.g., SONET, ATM, IP and MPEG networks.
The present invention provides a system having the above and other advantages.